Slack: Stored XSS in Slackbot Direct Messages

2014-03-22T10:54:27
ID H1:4561
Type hackerone
Reporter prakharprasad
Modified 2014-05-04T18:38:21

Description

Whenever a new team is created, Slackbot uses automated profile completion, asking the user a few questions such as the first name, last name, Skype account, etc. But if, instead of providing the correct details, we provide <javascript:alert(document.cookie);> as input, then Slackbot will cause the data to go inside the anchor tag <a href=javascript:alert(document.cookie);>...</a>, so clicking on the link will trigger XSS.

Video POC: https://www.dropbox.com/s/7fmbe4jnd923pd0/Dumbbot-XSS.mov
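The mitigation for this class of bug is a scheme allowlist applied before user input is placed in an href. The following is an added example, not code from the report or from Slack; the helper names (safeHref, renderAnswer) and the treatment of "<...>" as link markup are assumptions for illustration.

```javascript
// Added example: scheme allowlist for auto-linked user input (hypothetical helper names).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape text for use in an HTML body or a double-quoted attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Return a normalized URL string if the input is an absolute URL with an
// allowed scheme, otherwise null. The WHATWG URL parser strips leading
// whitespace and embedded tabs/newlines and lowercases the scheme, so
// "JaVa\tScRiPt:" is seen as "javascript:" here, the same way a browser sees it.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // not an absolute URL: treat as plain text
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render one profile answer. "<...>" marks a link candidate (assumed markup).
function renderAnswer(answer) {
  const m = /^<([^<>]+)>$/.exec(answer.trim());
  const href = m ? safeHref(m[1]) : null;
  if (href === null) return escapeHtml(answer); // rejected or plain: text only
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`;
}

// Constructed sample inputs.
const samples = [
  "<javascript:alert(document.cookie);>",
  "< JaVa\tScRiPt:alert(1)>",
  "<https://example.com/profile?a=1&b=2>",
  "Ada",
];
for (const s of samples) console.log(JSON.stringify(s), "->", renderAnswer(s));
```

Rejected input is rendered as escaped text rather than dropped, and the href attribute is always quoted, unlike the unquoted attribute shown in the report.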